Approximately 3 million Albertans have had personal information exposed in what is being described as one of the largest data breaches in Canadian political history. The incident, allegedly carried out by a separatist group operating as the Centurion Project, has now drawn a public statement from Prime Minister Mark Carney as political fallout escalates across federal and provincial lines.

What Happened

A separatist organization known as the Centurion Project allegedly obtained a list of electors connected to the Republican Party of Alberta and made the underlying personal information publicly accessible through a mobile application. The app has since been taken offline, but the data is presumed to have already been copied and redistributed. A journalist reportedly flagged the potential misuse of the electors list at the end of March 2026, yet enforcement action was not taken until the end of April. Elections Alberta has attributed the delay to changes introduced through Bill 54, which raised the threshold required to launch an investigation. The RCMP and Elections Alberta have opened formal investigations, and Prime Minister Mark Carney has weighed in publicly on the situation.

What Was Taken

The exposed dataset contains identity-grade personal information on roughly 3 million Alberta residents, including:

Because the source is an electors list, the records are tied to verified Canadian voters, increasing the value of the data for downstream identity fraud, social engineering, and political manipulation campaigns.

Why It Matters

This breach is significant beyond its raw scale. The data set originates from official elector records, meaning the information is high-fidelity and trustworthy from an attacker's perspective. The most immediate concern flagged by analysts is petition fraud: with verified voter details in hand, third parties could theoretically forge signatures onto political petitions, including the separatist petition tied to the alleged threat actor. Compounding the risk, Elections Alberta has stated that individuals cannot verify whether their name appears on a petition. Secondary risks include identity fraud against financial institutions, highly tailored scams that leverage real personal details to appear legitimate, and direct safety risks to vulnerable individuals such as those who have relied on address privacy to escape abusive situations.

The Attack Technique

Public reporting indicates this was not a traditional intrusion against a government system. The data appears to have moved from a legitimate electors list, accessed through political party channels connected to the Republican Party of Alberta, into the hands of the Centurion Project, which then exposed it via a publicly available mobile app. The vector is therefore better characterized as insider access or political-data misuse rather than external network compromise. The regulatory response was hampered by Bill 54, passed under the UCP government led by Premier Danielle Smith, which raised the evidentiary threshold required for Elections Alberta to open an investigation, allowing the exposure to persist for roughly a month after it was first flagged.

What Organizations Should Do

  1. Treat any organization handling voter rolls, membership lists, or political donor data as a tier-one identity asset and apply the same controls used for PII at financial institutions.
  2. Implement strict access logging and download throttling on electoral and party membership databases, with mandatory review of any bulk export.
  3. Review legal and contractual obligations governing redistribution of electors lists to political parties, and revoke access where downstream handling cannot be audited.
  4. For Alberta-based businesses, assume that names, addresses, phone numbers, and partial email data on roughly 3 million residents are now in adversary hands and tune fraud detection, KYC, and call-center verification accordingly.
  5. Issue guidance to staff and customers warning of targeted phishing and vishing campaigns that may reference accurate personal details to establish trust.
  6. Monitor underground forums and paste sites for redistribution of the Centurion Project dataset and coordinate with the RCMP and Elections Alberta investigations where exposure is observed.

Sources: Alberta Data Breach Update - by Cole Bennett - Cole.notcole